How interesting... right after I posted about using a filtering router
as a firewall, someone says this...
> As for group 2, how about recommending that critical data be moved
> using a different protocol? All that's left to do is to turn off
> inbound services on the local net, install a decent packet-filtering
> router, and you're done. These guys don't need a firewall, NT or
> otherwise. If the above doesn't cut it for you, then a "somewhere in
> the middle" security solution won't cut it either.
But that *is* a firewall. A firewall isn't a piece of hardware, it's a
barrier between two domains with different security policies. It can be
implemented any number of ways, and if the requirements are right then
that's one of the ways to do it. Now people can still stealth-scan you
through a filter like that, but unless you have broken stacks that will
initiate a connection if you send them a SYN-ACK or you have a business
need to run UDP through the firewall (yes, you need to do something clever
about DNS), what harm does that do?
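To make the point concrete, here is an added example (not part of the original post): a toy model of the filtering router described above, with the usual "inbound TCP only if the ACK bit is set, inbound UDP only for DNS answers to our forwarder" rules. It shows why such a stateless filter passes an unsolicited SYN-ACK probe (the stealth scan mentioned above, harmless unless the receiving stack is broken) and how keeping a table of outbound SYNs closes that gap. Addresses, the network prefix and the DNS forwarder are all constructed assumptions.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."               # assumed internal network prefix
RESOLVER = "10.0.0.53"           # assumed internal DNS forwarder
UPSTREAM_DNS = "198.51.100.53"   # assumed ISP resolver (documentation range)

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def inbound(p: Pkt) -> bool:
    return not p.src.startswith(INSIDE) and p.dst.startswith(INSIDE)

def stateless_filter(p: Pkt) -> bool:
    """Per-packet rules a plain filtering router can express."""
    if not inbound(p):
        return True                     # outbound traffic is allowed
    if p.proto == "tcp":
        return p.ack                    # "established": ACK bit set
    if p.proto == "udp":                # only DNS answers to our forwarder
        return p.src == UPSTREAM_DNS and p.sport == 53 and p.dst == RESOLVER
    return False

class StatefulFilter:
    """Same policy, but inbound TCP must match an outbound SYN seen earlier."""
    def __init__(self):
        self.flows = set()

    def allow(self, p: Pkt) -> bool:
        if not inbound(p):
            if p.proto == "tcp" and p.syn and not p.ack:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.proto == "tcp":
            return (p.dst, p.dport, p.src, p.sport) in self.flows
        return stateless_filter(p)

# Constructed traffic: an outbound web request, its SYN-ACK reply, and an
# unsolicited SYN-ACK probe that the stateless ACK rule cannot tell apart.
OUT_SYN = Pkt("tcp", "10.0.0.7", "203.0.113.9", 40000, 80, syn=True)
REPLY = Pkt("tcp", "203.0.113.9", "10.0.0.7", 80, 40000, syn=True, ack=True)
PROBE = Pkt("tcp", "203.0.113.9", "10.0.0.7", 80, 40001, syn=True, ack=True)
```

`stateless_filter` accepts both REPLY and PROBE, while `StatefulFilter` accepts REPLY only after seeing OUT_SYN and rejects PROBE.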